Bank Internet Links Can Give Hackers Keys to Vaults

By John P. Mello Jr.
May 13, 2013 5:00 AM PT

Willie Sutton once said that he robbed banks because that's where the money was. If Sutton were living today, he might have made the career move to hacker.

That would allow him to do what he liked to do best -- steal money -- on a global scale, which is what a ring of bank-robbing hackers has been doing. Eight of the alleged cybercrooks were arrested in the U.S. last week.

The ring used prepaid credit cards issued by a bank in the United Arab Emirates. They hacked into banking systems to increase the credit lines on the cards, and then went on an ATM cash withdrawal spree around the world.

"Many banking systems today are connected directly or indirectly to the Internet," Ori Eisen, CEO and founder of 41st Parameter, told TechNewsWorld. "This brings unintentional exposures, which allows criminals to exploit them to their advantage."

Given the scale of the global credit card networks, "it is almost impossible to detect every kind of attack," he said. "Similar to fighting terrorism, you can be successful in preventing something 100 times, but the bad guys only need to be successful once."

Man-in-the-Browser Attacks

The war against digital bank robbers has been going strong for some time now, according to a report released in April by NSS Labs.

"For at least the last six years, fraudsters have leveraged advanced botnet malware to wage an epic battle against banks across the globe, and despite banks recently having gained the upper hand, fraudsters have successfully stolen hundreds of millions of dollars," wrote Ken Baylor, the author of the report.

The most common and effective malware for online banking fraud uses man-in-the-browser attacks, which exploit browser flaws to put traps or fake transactions in Web pages. Most MITB malware is modeled on one of the most successful programs of its kind -- the Zeus Trojan, Baylor said.

Most modern MITB malware is created in Russian-speaking countries, he added, and typically the attacks begin in Europe and spread to the U.S.

Agility Through Sharing

If anything has become apparent in recent times, it's that the cyberadversaries of both the public and private sector have proven to be more agile in mounting their attacks on their targets than those targets are in defending themselves. However, that can change with better information sharing by defenders.

"Our adversaries share information better than we do, and they have a better picture of the puzzle than we do," Phyllis Schneck, vice president & chief technology officer for the global public sector of McAfee, told TechNewsWorld.

A big reason why the cybercriminals are more agile? "Our adversaries don't have legal boundaries or competitive boundaries or national boundaries," she said.

Without the boundaries that create civil society, "our adversaries work with a lot more agility and they execute more quickly," Schneck added.

One advantage that defenders have over attackers is knowledge of their neighborhoods. Defenders have the ability to display that knowledge almost like a weather map to identify the presence of malicious intent.

"We can do that at machine speed with computing today, so we could build resilient networks at the speed of light," Schneck said. "What is keeping us from doing that is the ability to share the pieces of the puzzle between companies and between the private sector and government."

Software Security Training

With demand for cybersecurity professionals rising, training is becoming more and more important for companies of all sizes. This week, software companies will be getting a boost for their training needs through a program being launched by SAFECode.

SAFECode, a non-profit organization dedicated to software security training, will release on Tuesday its first set of free online security engineering courses in the form of on-demand webcasts.

"The idea is that any company or organization that would like to start an in-house software security program can go to this site and view these courses as building blocks for that," SAFECode Policy Director Stacy Simpson told TechNewsWorld.

The courses also allow information to be harmonized across companies, added SAFECode executive director and former White House cybersecurity advisor Howard Schmidt.

"While there's always corporate culture differences, the basic principles of secure software development are pretty consistent," he told TechNewsWorld. "This way companies can have better consistency throughout development."

Among the subjects covered in the initial set of training models will be authentication mechanisms, Windows access controls, and Linux and Mac authorizations.

Breach Diary

May 7. Tennessee convenience store chain Mapco discloses that hackers compromised its computer systems and warns customers who made payment card purchases from March 19-25, April 14-15 and April 20-21 that their financial information is at risk. However, the company is not sure yet if any payment card information was compromised.

May 8. Name.com forces its users to reset their passwords after it discovers its servers had been breached. In a letter to customers, the domain registrar said that usernames, email addresses, encrypted passwords as well as encrypted credit card information may have been compromised.

May 8. Lutheran Social Services of South Central Pennsylvania notifies some 7,300 current and past residents that their personal information could be at risk after malware was discovered on one of the agency's computers. However, no evidence has been found yet that any account information has been compromised.

May 9. Javelin Strategy & Research releases report estimating that $707 million in fraud will occur due to data breach at Global Payments in March 2012. It's estimated that 1.5 million cardholders were put at risk by the attack on the credit card processor.

May 9. Missouri House of Representatives approves and sends to the Senate a bill containing a provision requiring state agencies to report to citizens any unauthorized access to their personal data maintained by the agencies.

May 9. Raleigh (N.C.) Orthopedic Clinic notifies 17,300 of a data breach that resulted when their X-rays were harvested for silver by precious metal thieves. Information accompanying the X-rays, which were destroyed in the extraction process, included names and dates of birth of patients.

May 9. Washington Administrative Office of the Courts reports that more than 160,000 Social Security numbers and one million driver's license numbers may have been compromised in a data breach in February.